stacks interacting over LAN? (newbie)

Alex Tweedly alex at tweedly.net
Wed Dec 1 16:20:29 EST 2004


At 20:21 01/12/2004 +0100, Björnke von Gierke wrote:

>Dear Frank, Richard
>
>You both raise valid concerns. However there is barely a chance getting 
>someone to interrupt your communication. In fact, I have yet to hear of 
>such an attempt executed, anywhere (besides rumors about the US 
>government). While direct exploits of programmatic errors I have heard 
>of quite often.

There have been attempts to hijack TCP connections in the course of them 
being opened. There was a spate of them around ten years ago, aimed at the 
backbone routers in Europe; I've never heard of any being successful, but 
there have certainly been attacks aimed at that vulnerability.

>The chatrev protocol is strict. The client ignores every malformed 
>message, the server disconnects you if you send wrong data. Of course I 
>can not guarantee the integrity of the underlying TCP/IP stack, but then 
>who can? There is a certain degree of trust involved. Chatrev users trust 
>me, as I both "made" the protocol, and I do host the server. I trust 
>RunRev to deliver a secure internet experience. They trust the people that 
>made the tcp implementation they use. And so on.
>If you both are so concerned about the security of the Chatrev users, why 
>don't you join us in the chat, or try to dissect the protocol and give us 
>some security tips?

I'd agree that this is a minimal risk, but if you decided it was worth 
worrying about, there are some possibilities ..... ranging from a simple 
password which must be supplied in the start of the transfer, through to 
md5 keys (a la rfc 2385, though implemented in the application since most 
TCPs won't support it).

The most interesting would be to simply pass the file transfer via the 
server. This would avoid any client ever having to "accept" 
connections.  This would have the added side benefit that it would allow 
two clients, both behind firewalls and/or NATs to transfer files, which 
they probably cannot do directly.

-- Alex.
P.S. I will be joining the chat ... any particular time(s) you tend to "meet" ?
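
An added example, not part of the original message and not Chatrev's own code: the application-level keyed digest suggested above, sketched in Python. It swaps RFC 2385's keyed MD5 for HMAC-SHA256 and adds a sequence number so a captured frame cannot be replayed; the frame layout, the names `seal` and `Receiver`, and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output size in bytes
SEQ_LEN = 8    # big-endian 64-bit sequence number


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: sequence number || payload || tag over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts only in-order frames whose tag matches the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def verify(self, frame: bytes):
        """Return the payload, or None if the frame must be ignored."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None                      # malformed: too short
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or altered in transit
        (seq,) = struct.unpack(">Q", header)
        if seq != self.next_seq:
            return None                      # replayed or out of order
        self.next_seq += 1
        return payload


if __name__ == "__main__":
    key = b"constructed-sample-key-32-bytes!"   # constructed sample value
    rx = Receiver(key)
    frame = seal(key, 0, b"file chunk 0")
    print(rx.verify(frame))   # accepted
    print(rx.verify(frame))   # same frame again: ignored
```

The key has to reach both clients over a channel the attacker cannot read, for example handed out by the server each client already trusts.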

